From the NGFW or Panorama CLI, you can override the existing application tag even if Disable Override is enabled for the application (ObjectsApplications) tag.

The auto commit job may take longer than expected to complete when the Panorama management server is in Panorama or Log Collector mode.

The autocommit time of the VM-Series firewall running PAN-OS 11.1.0 might take longer than expected.

Configured botnet reports (MonitorBotnet) are not generated.

When a DHCPv6 client is configured on HA Active/Passive firewalls, if the DHCPv6 server goes down, after the lease time expires, the DHCPv6 client should enter SOLICIT state on both the Active and Passive firewalls. Instead, the client is stuck in BOUND state with an IPv6 address having lease time 0 on the Passive firewall.

When a DHCPv6 client is configured on HA Active/Passive firewalls, the Passive firewall sometimes crashes.

For M-700 appliances in an active/passive high availability (PanoramaHigh Availability) configuration, the active-primary HA peer configuration sync to the secondary-passive HA peer may fail. When the config sync fails, the job Results is Successful (Tasks), however the sync status on the Dashboard displays as Out of Sync for both HA peers.

Workaround: Perform a local commit on the active-primary HA peer and then synchronize the HA configuration.

If you disable Advanced Routing, remove logical routers, and downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release, subsequent commits fail and SD-WAN devices on Panorama have no Virtual Router name.

When a DHCPv6 client is configured on HA Active/Passive firewalls, releasing the IPv6 address from the client (using Release in the UI or using the request dhcp client ipv6 release all CLI command) releases the IPv6 address from the Active firewall, but not the Passive firewall.

The Dedicated Log Collector is unable to reconnect to the Panorama management server if the configd process crashes. This results in the Dedicated Log Collector losing connectivity to Panorama despite the managed collector connection Status (PanoramaManaged Collector) displaying connected and the managed colletor Health status displaying as healthy.

This results in the local Panorama config and system logs not being forwarded to the Dedicated Log Collector. Firewall log forwarding to the disconnected Dedicated Log Collector is not impacted.

Workaround: Restart the mgmtsrvr process on the Dedicated Log Collector.

The PAN-OS ACC (Application Command Center) does not display a widget detailing statistics and data associated with vulnerability exploits that have been detected using inline cloud analysis.

(PA-1400 Series firewalls only) In NetworkInterfaceEthernet, the power over Ethernet (PoE) ports do not display a Tag value.

On the Panorama management server, pushing a configuration change to firewalls leveraging SD-WAN erroneously show the auto-provisioned BGP configurations for SD-WAN as being edited or deleted despite no edits or deletions being made when you Preview Changes (CommitPush to DevicesEdit Selections or CommitCommit and PushEdit Selections).

(PA-1400 Series firewalls only) When using the CLI to configure power over Ethernet (PoE) on a non-PoE port, the CLI prints an error depending on whether an interface type was selected on the non-PoE port or not. If an interface type, such as tap, Layer 2, or virtual wire, was selected before PoE was configured, the error message will not include the interface name (eg. ethernet1/4). If an interface type was not selected before PoE was configured, the error message will include the interface name.

(PA-1400 Series firewalls only) In NetworkInterfaceEthernet, hovering the mouse over a power over Ethernet (PoE) Link State icon does not display link speed and link duplex details.

On the Panorama management server, the Template Status displays no synchronization status (PanoramaManaged DevicesSummary) after a bootstrapped firewall is successfully added to Panorama.

Workaround: After the bootstrapped firewall is successfully added to Panorama, log in to the Panorama web interface and select CommitPush to Devices.

The configured Advanced Threat Prevention inline cloud analysis action for a given model might not be honored under the following condition: If the firewall is set to Hold client request for category lookup and the action set to Reset-Both and the URL cache has been cleared, the first request for inline cloud analysis will be bypassed.

Templates appear out-of-sync on Panorama after successfully deploying the CFT stack using the Panorama plugin for AWS.

Workaround: Use CommitPush to Devices to synchronize the templates.

Scheduled report emails (MonitorPDF ReportsEmail Scheduler) are not emailed if:

Workaround: To receive a scheduled report email for all other PDF report types:

Using the CLI to add a RAID disk pair to an M-700 appliance causes the dmdb process to crash.

Workaround: Contact customer support to stop the dmdb process before adding a RAID disk pair to a M-700 appliance.

Static IP addresses are not recognized when "and" operators are used with IP CIDR range.

If you use multiple log forwarding cards (LFCs) on the PA-7000 series, all of the cards may not receive all of the updates and the mappings for the clients may become out of sync, which causes the firewall to not correctly populate the Source User column in the session logs.

On the Panorama management server, pushes to managed firewalls (CommitPush to Devices or Commit and Push) may fail when an EDL (ObjectsExternal Dynamic Lists) is configured to Check for updates every 5 minutes due to the commit and EDL fetch processes overlapping. This is more likely to occur when multiple EDLs are configured to check for updates every 5 minutes.